sherlock-audit / 2023-04-unitasprotocol-judging

4 stars 3 forks source link

Yuki - The function setUSD1 forgets to set the min/max price tolerance of the token, which if unnoticed leads to the revert of the swap function when `priceQuoteToken == USD1`. #82

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

Yuki

medium

The function setUSD1 forgets to set the min/max price tolerance of the token, which if unnoticed leads to the revert of the swap function when priceQuoteToken == USD1.

Summary

The function setUSD1 forgets to set the min/max price tolerance of the token, which if unnoticed leads to the revert of the swap function when priceQuoteToken == USD1.

Vulnerability Detail

When adding tokens to the pool, the function addTokensAndPairs is enforced to always set the min and max tolerance of the token added.

https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/TokenManager.sol#L249-L253

However this doesn't happen when updating the address of the USD1 token. This is problematic and if unnoticed will result to the revert of the swap function.

https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/TokenManager.sol#L223-L231

The revert will occur when priceQuoteToken == USD1, as the function _checkPrice requires that the min/max price is above zero. As this prices weren't set, they will have a default value of zero and the function swap will revert.

https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/Unitas.sol#L438-L440

https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/Unitas.sol#L595-L600

Impact

The swap function reverts when priceQuoteToken == USD1, if the USD1 token is updated without setting the min/max tolerance of it

Code Snippet

https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/TokenManager.sol#L96-L98

https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/TokenManager.sol#L223-L231

Tool used

Manual Review

Recommendation

Make sure when the USD1 token is being updated, it also sets the min/max tolerance of the new token.

    function _setUSD1(address token, uint256 minPrice, uint256 maxPrice) internal {
        address oldToken = address(usd1);
        if (oldToken != address(0)) {
            _removeToken(oldToken);
        }

        _addToken(token, uint8(TokenType.Stable));
        _setMinMaxPriceTolerance(token, minPrice, maxPrice);
        usd1 = IERC20Token(token);
    }